From b5d7b7986c73d973382ba2fe6c50d3b7857481a0 Mon Sep 17 00:00:00 2001 
From: Jesse Pretorius Date: Thu, 24 Mar 2016 22:41:04 +0000 Subject: [PATCH] Implement initial test inventory/plays This patch implements an initial set of inventory and playbooks which results in the successful convergence of a standalone build of Ironic. It also adds the rootwrap filters, implement config_template for all the conf files appropriately and ensures that the sudoers is implemented in the right order of execution. All content is based from the head of stable/mitaka on 24 Mar 2016. Change-Id: I9182951c394a8c52826480aba7bc7e4d437988c5 --- defaults/main.yml | 22 +- files/rootwrap.d/ironic-images.filters | 6 + files/rootwrap.d/ironic-lib.filters | 25 + files/rootwrap.d/ironic-utils.filters | 10 + meta/main.yml | 9 +- tasks/ironic_post_install.yml | 81 ++- tasks/ironic_pre_install.yml | 11 - templates/ironic.conf.j2 | 863 ++++++++++++++++--------- templates/rootwrap.conf.j2 | 27 + tests/ansible-role-requirements.yml | 48 +- tests/group_vars/all_containers.yml | 27 + tests/group_vars/ironic_all.yml | 17 + tests/inventory | 41 +- tests/test-install-infra.yml | 32 + tests/test-install-ironic.yml | 62 ++ tests/test-install-keystone.yml | 65 ++ tests/test-prepare-containers.yml | 33 + tests/test-prepare-host.yml | 77 +++ tests/test-prepare-keys.yml | 31 + tests/test-vars.yml | 69 ++ tests/test.yml | 24 +- tox.ini | 35 +- 22 files changed, 1254 insertions(+), 361 deletions(-) create mode 100644 files/rootwrap.d/ironic-images.filters create mode 100644 files/rootwrap.d/ironic-lib.filters create mode 100644 files/rootwrap.d/ironic-utils.filters create mode 100644 templates/rootwrap.conf.j2 create mode 100644 tests/group_vars/all_containers.yml create mode 100644 tests/group_vars/ironic_all.yml create mode 100644 tests/test-install-infra.yml create mode 100644 tests/test-install-ironic.yml create mode 100644 tests/test-install-keystone.yml create mode 100644 tests/test-prepare-containers.yml create mode 100644 tests/test-prepare-host.yml create mode 100644 
tests/test-prepare-keys.yml create mode 100644 tests/test-vars.yml diff --git a/defaults/main.yml b/defaults/main.yml index 26581940..e79ae204 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -23,9 +23,9 @@ verbose: True # to build an environment directly from a git source without the presence # of an OpenStack-Ansible repo_server. ironic_git_repo: https://git.openstack.org/openstack/ironic -ironic_git_install_branch: master +ironic_git_install_branch: stable/mitaka ironic_requirements_git_repo: https://git.openstack.org/openstack/requirements -ironic_requirements_git_install_branch: master +ironic_requirements_git_install_branch: stable/mitaka ironic_developer_mode: false ironic_developer_constraints: - "git+{{ ironic_git_repo }}@{{ ironic_git_install_branch }}#egg=ironic" @@ -85,7 +85,6 @@ ironic_standalone: False # Database ironic_galera_user: ironic ironic_galera_database: ironic -ironic_galera_password: "gu1d0" # TODO(mrda): Manage secrets # Integrated Openstack configuration ironic_openstack_driver_list: agent_ipmitool @@ -149,12 +148,25 @@ ironic_conductor_standalone_apt_packages: ## RabbitMQ info ironic_rabbitmq_userid: ironic ironic_rabbitmq_vhost: /ironic -ironic_rabbitmq_password: ch4rl0tt3 # TODO(mrda): Manage secrets # Auth ironic_service_user_name: "ironic" -ironic_service_password: "4nn3" # TODO(mrda): Manage secrets # Apache settings ironic_wsgi_threads: 1 ironic_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}" + +### OpenStack Services to integrate with + +# Glance +# ironic_glance_host: x.x.x.x +ironic_glance_auth_strategy: "{{ ironic_openstack_auth_strategy }}" + +# Neutron +# neutron_service_adminurl: +ironic_neutron_auth_strategy: "{{ ironic_openstack_auth_strategy }}" + +### Config Overrides +ironic_ironic_conf_overrides: {} +ironic_rootwrap_conf_overrides: {} +ironic_policy_overrides: {} 
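Review bot: With the hard-coded defaults removed in the hunks at -85 and -149, `ironic_galera_password`, `ironic_rabbitmq_password` and `ironic_service_password` are no longer defined or even mentioned in defaults/main.yml. A deployer who does not already know the names will presumably only find out from an undefined-variable failure when the templates render. A commented placeholder per variable, e.g. `# ironic_galera_password: <required; supply from your secrets store>`, would document the contract without reintroducing a secret. If any environment was ever converged with the removed literals, those credentials should be rotated, because they remain readable in the repository history.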
diff --git a/files/rootwrap.d/ironic-images.filters b/files/rootwrap.d/ironic-images.filters
new file mode 100644
index 00000000..8c2aa7b5
--- /dev/null
+++ b/files/rootwrap.d/ironic-images.filters
@@ -0,0 +1,6 @@
+# ironic-rootwrap command filters to manipulate images
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+# ironic/common/images.py: 'qemu-img'
+qemu-img: CommandFilter, qemu-img, root
diff --git a/files/rootwrap.d/ironic-lib.filters b/files/rootwrap.d/ironic-lib.filters
new file mode 100644
index 00000000..1c543791
--- /dev/null
+++ b/files/rootwrap.d/ironic-lib.filters
@@ -0,0 +1,25 @@
+# An ironic-lib.filters to be used with rootwrap command.
+# The following commands should be used in filters for disk manipulation.
+# This file should be owned by (and only-writeable by) the root user.
+
+# NOTE: this file is a copy of ironic-lib.filters from the ironic-lib
+# repository that should ultimately be remove. At this point, we still
+# need it to avoid gate breakage and preserve compatibily with existing
+# installation.
+
+[Filters]
+# ironic_lib/disk_utils.py
+blkid: CommandFilter, blkid, root
+blockdev: CommandFilter, blockdev, root
+hexdump: CommandFilter, hexdump, root
+qemu-img: CommandFilter, qemu-img, root
+wipefs: CommandFilter, wipefs, root
+
+# ironic_lib/utils.py
+mkswap: CommandFilter, mkswap, root
+mkfs: CommandFilter, mkfs, root
+dd: CommandFilter, dd, root
+
+# ironic_lib/disk_partitioner.py
+fuser: CommandFilter, fuser, root
+parted: CommandFilter, parted, root
diff --git a/files/rootwrap.d/ironic-utils.filters b/files/rootwrap.d/ironic-utils.filters
new file mode 100644
index 00000000..46e82e5e
--- /dev/null
+++ b/files/rootwrap.d/ironic-utils.filters
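Review bot: Every entry in ironic-images.filters and ironic-lib.filters is a plain `CommandFilter`, which matches on the executable only, so the service account can run `dd`, `mkfs`, `wipefs`, `parted` and `qemu-img` as root with arbitrary arguments. The same applies to `mount`, `umount` and `iscsiadm` in ironic-utils.filters. ironic-lib.filters is stated to be a copy from the ironic-lib repository, so narrowing the entries here may not be practical, but the role should document that the ironic service user is effectively root-equivalent on the conductor host. The file headers require root ownership and root-only write access, yet the copy task in tasks/ironic_post_install.yml sets `owner` and `group` without a `mode`. Adding `mode: "0644"` there, and making sure `/etc/ironic/rootwrap.d` itself is root-owned and not writable by the service user (its creation is not visible in this patch), would enforce what the comments ask for.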
@@ -0,0 +1,10 @@ +# ironic-rootwrap command filters for disk manipulation +# This file should be owned by (and only-writeable by) the root user + +[Filters] +# ironic/drivers/modules/deploy_utils.py +iscsiadm: CommandFilter, iscsiadm, root + +# ironic/common/utils.py +mount: CommandFilter, mount, root +umount: CommandFilter, umount, root diff --git a/meta/main.yml b/meta/main.yml index ae9cfacb..a4c3e99f 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -27,8 +27,9 @@ galaxy_info: - baremetal - system dependencies: + - apt_package_pinning - galera_client - - pip_install -# TODO(mrda): Add in openstack_openrc once this role is split out -# from openstack-ansible, as it's useful for standalone use. -# - openstack_openrc + - openstack_openrc + - role: pip_lock_down + when: + - not ironic_developer_mode | bool diff --git a/tasks/ironic_post_install.yml b/tasks/ironic_post_install.yml index e0ec1deb..5e6962e6 100644 --- a/tasks/ironic_post_install.yml +++ b/tasks/ironic_post_install.yml 
@@ -33,26 +33,73 @@ ironic_db_connection_string: "{{ ironic_openstack_db_connection_string }}" when: not ironic_standalone -- name: Build the ironic.conf configuration file - template: - src: "ironic.conf.j2" - dest: "/etc/ironic/ironic.conf" - mode: "0644" - owner: "root" - group: "root" - notify: - - Restart ironic services +- name: Get ironic command path + command: which ironic + register: ironic_command_path + when: + - not ironic_venv_enabled | bool tags: - - ironic-init + - ironic-command-bin -- name: Build the policy.json file - template: - src: "policy.json.j2" - dest: "/etc/ironic/policy.json" +- name: Set ironic command path + set_fact: + ironic_bin: "{{ ironic_command_path.stdout | dirname }}" + when: + - not ironic_venv_enabled | bool + tags: + - ironic-command-bin + +- name: Generate ironic config + config_template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ item.owner|default(ironic_system_user_name) }}" + group: "{{ item.group|default(ironic_system_group_name) }}" mode: "0644" + config_overrides: "{{ item.config_overrides }}" + config_type: "{{ item.config_type }}" + with_items: + - src: "ironic.conf.j2" + dest: "/etc/ironic/ironic.conf" + config_overrides: "{{ ironic_ironic_conf_overrides }}" + config_type: "ini" + - src: "rootwrap.conf.j2" + dest: "/etc/ironic/rootwrap.conf" + owner: "root" + group: "root" + config_overrides: "{{ ironic_rootwrap_conf_overrides }}" + config_type: "ini" + - src: "policy.json.j2" + dest: "/etc/ironic/policy.json" + config_overrides: "{{ ironic_policy_overrides }}" + config_type: "json" + notify: Restart ironic services + tags: + - ironic-config + - ironic-post-install + +- name: Copy ironic rootwrap filter config + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" owner: "root" group: "root" - notify: - - Restart ironic services + with_items: + - { src: "rootwrap.d/ironic-images.filters", dest: "/etc/ironic/rootwrap.d/ironic-images.filters" } + - { src: "rootwrap.d/ironic-lib.filters", dest: 
"/etc/ironic/rootwrap.d/ironic-lib.filters" } + - { src: "rootwrap.d/ironic-utils.filters", dest: "/etc/ironic/rootwrap.d/ironic-utils.filters" } + notify: Restart ironic services tags: - - ironic-init + - ironic-config + - ironic-post-install + +- name: Include sudoers file + template: + src: "sudoers.j2" + dest: "/etc/sudoers.d/{{ ironic_system_user_name }}_sudoers" + mode: "0440" + owner: "root" + group: "root" + tags: + - ironic-api + - ironic-conductor diff --git a/tasks/ironic_pre_install.yml b/tasks/ironic_pre_install.yml index 4e885d0a..2566dd5b 100644 --- a/tasks/ironic_pre_install.yml +++ b/tasks/ironic_pre_install.yml @@ -114,14 +114,3 @@ tags: - ironic-api - ironic-conductor - -- name: Include sudoers file - template: - src: "sudoers.j2" - dest: "/etc/sudoers.d/{{ ironic_system_user_name }}_sudoers" - mode: "0440" - owner: "root" - group: "root" - tags: - - ironic-api - - ironic-conductor diff --git a/templates/ironic.conf.j2 b/templates/ironic.conf.j2 index 8acab56e..44a302f5 100644 --- a/templates/ironic.conf.j2 +++ b/templates/ironic.conf.j2 @@ -4,12 +4,17 @@ # Options defined in ironic.api.app # -# Authentication strategy used by ironic-api: one of -# "keystone" or "noauth". "noauth" should not be used in a -# production environment because all authentication will be -# disabled. (string value) +# Authentication strategy used by ironic-api. "noauth" should +# not be used in a production environment because all +# authentication will be disabled. (string value) +# Possible values: noauth, keystone auth_strategy={{ ironic_auth_strategy }} +# Return server tracebacks in the API response for any error +# responses. WARNING: this is insecure and should not be used +# in a production environment. (boolean value) +#debug_tracebacks_in_api=false + # Enable pecan debug mode. WARNING: this is insecure and # should not be used in a production environment. (boolean # value) 
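Review bot: The `Generate ironic config` task applies `mode: "0644"` to every item, including /etc/ironic/ironic.conf, whose template renders `connection={{ ironic_db_connection_string }}` and normally carries the messaging and service credentials as well, so any local account on the host can read them. The task already takes per-item `owner` and `group`, so the same pattern fits here: `mode: "{{ item.mode|default('0644') }}"` on the task and `mode: "0640"` on the ironic.conf.j2 item. ironic.conf and policy.json also default to being owned by `ironic_system_user_name`, which lets the service rewrite its own configuration and policy; `owner: "root"` with the ironic group and 0640 would keep them readable but not writable by the service. Separately, the relocated `Include sudoers file` task could add `validate: 'visudo -cf %s'` so a bad render never lands in /etc/sudoers.d.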
@@ -112,10 +117,12 @@ enabled_drivers={{ ironic_driver_list }} # Options defined in ironic.common.service # -# Seconds between running periodic tasks. (integer value) +# Default interval (in seconds) for running driver periodic +# tasks. (integer value) +# This option is deprecated and planned for removal in a future release. #periodic_interval=60 -# Name of this node. This can be an opaque identifier. It is +# Name of this node. This can be an opaque identifier. It is # not necessarily a hostname, FQDN, or IP address. However, # the node name must be valid within an AMQP key, and if using # ZeroMQ, a valid hostname, FQDN, or IP address. (string @@ -159,12 +166,13 @@ host={{ ansible_hostname }} # Options defined in oslo.log # -# Print debugging output (set logging level to DEBUG instead -# of default INFO level). (boolean value) +# If set to true, the logging level will be set to DEBUG +# instead of the default INFO level. (boolean value) #debug=false -# If set to false, will disable INFO logging level, making -# WARNING the default. (boolean value) +# If set to false, the logging level will be set to WARNING +# instead of the default INFO level. (boolean value) +# This option is deprecated and planned for removal in a future release. #verbose=true # The name of a logging configuration file. This file is 
@@ -173,42 +181,35 @@ host={{ ansible_hostname }} # logging module documentation. Note that when logging # configuration files are used then all logging configuration # is set in the configuration file and other logging -# configuration options are ignored (for example, log_format). -# (string value) +# configuration options are ignored (for example, +# logging_context_format_string). (string value) # Deprecated group/name - [DEFAULT]/log_config #log_config_append= -# DEPRECATED. A logging.Formatter log message format string -# which may use any of the available logging.LogRecord -# attributes. This option is deprecated. Please use -# logging_context_format_string and -# logging_default_format_string instead. This option is -# ignored if log_config_append is set. (string value) -#log_format= - -# Format string for %%(asctime)s in log records. Default: -# %(default)s . This option is ignored if log_config_append is -# set. (string value) +# Defines the format string for %%(asctime)s in log records. +# Default: %(default)s . This option is ignored if +# log_config_append is set. (string value) #log_date_format=%Y-%m-%d %H:%M:%S -# (Optional) Name of log file to output to. If no default is -# set, logging will go to stdout. This option is ignored if -# log_config_append is set. (string value) +# (Optional) Name of log file to send logging output to. If no +# default is set, logging will go to stderr as defined by +# use_stderr. This option is ignored if log_config_append is +# set. (string value) # Deprecated group/name - [DEFAULT]/logfile #log_file= -# (Optional) The base directory used for relative --log-file +# (Optional) The base directory used for relative log_file # paths. This option is ignored if log_config_append is set. # (string value) # Deprecated group/name - [DEFAULT]/logdir #log_dir= -# (Optional) Uses logging handler designed to watch file -# system. 
When log file is moved or removed this handler will -# open a new log file with specified path instantaneously. It -# makes sense only if log-file option is specified and Linux -# platform is used. This option is ignored if -# log_config_append is set. (boolean value) +# Uses logging handler designed to watch file system. When log +# file is moved or removed this handler will open a new log +# file with specified path instantaneously. It makes sense +# only if log_file option is specified and Linux platform is +# used. This option is ignored if log_config_append is set. +# (boolean value) #watch_log_file=false # Use syslog for logging. Existing syslog format is DEPRECATED @@ -216,14 +217,6 @@ host={{ ansible_hostname }} # ignored if log_config_append is set. (boolean value) #use_syslog=false -# (Optional) Enables or disables syslog rfc5424 format for -# logging. If enabled, prefixes the MSG part of the syslog -# message with APP-NAME (RFC5424). The format without the APP- -# NAME is deprecated in Kilo, and will be removed in Mitaka, -# along with this option. This option is ignored if -# log_config_append is set. (boolean value) -#use_syslog_rfc_format=true - # Syslog facility to receive log lines. This option is ignored # if log_config_append is set. (string value) #syslog_log_facility=LOG_USER 
@@ -236,21 +229,25 @@ host={{ ansible_hostname }} # value) #logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s -# Format string to use for log messages without context. -# (string value) +# Format string to use for log messages when context is +# undefined. (string value) #logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s -# Data to append to log format when level is DEBUG. (string -# value) +# Additional data to append to log message when logging level +# for the message is DEBUG. (string value) #logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d # Prefix each line of exception output with this format. # (string value) #logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s -# List of logger=LEVEL pairs. This option is ignored if -# log_config_append is set. (list value) -#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN +# Defines the format string for %(user_identity)s that is used +# in logging_context_format_string. (string value) +#logging_user_identity_format=%(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + +# List of package logging levels in logger=LEVEL pairs. This +# option is ignored if log_config_append is set. 
(list value) +#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO # Enables or disables publication of error events. (boolean # value) @@ -274,6 +271,7 @@ host={{ ansible_hostname }} # # Size of RPC connection pool. (integer value) +# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size #rpc_conn_pool_size=30 # ZeroMQ bind address. Should be a wildcard (*), an ethernet @@ -282,12 +280,9 @@ host={{ ansible_hostname }} #rpc_zmq_bind_address=* # MatchMaker driver. (string value) +# Possible values: redis, dummy #rpc_zmq_matchmaker=redis -# Use REQ/REP pattern for all methods CALL/CAST/FANOUT. -# (boolean value) -#rpc_zmq_all_req_rep=true - # Type of concurrency used. Either "native" or "eventlet" # (string value) #rpc_zmq_concurrency=eventlet 
@@ -305,43 +300,44 @@ host={{ ansible_hostname }} # Name of this node. Must be a valid hostname, FQDN, or IP # address. Must match "host" option, if running Nova. (string # value) -#rpc_zmq_host=ironic +#rpc_zmq_host=localhost -# Seconds to wait before a cast expires (TTL). Only supported -# by impl_zmq. (integer value) -#rpc_cast_timeout=30 +# Seconds to wait before a cast expires (TTL). The default +# value of -1 specifies an infinite linger period. The value +# of 0 specifies no linger period. Pending messages shall be +# discarded immediately when the socket is closed. Only +# supported by impl_zmq. (integer value) +#rpc_cast_timeout=-1 # The default number of seconds that poll should wait. Poll # raises timeout exception when timeout expired. (integer # value) #rpc_poll_timeout=1 -# Shows whether zmq-messaging uses broker or not. (boolean -# value) -#zmq_use_broker=true +# Expiration timeout in seconds of a name service record about +# existing target ( < 0 means no timeout). (integer value) +#zmq_target_expire=120 -# Host to locate redis. (string value) -#host=127.0.0.1 +# Use PUB/SUB pattern for fanout methods. PUB/SUB always uses +# proxy. (boolean value) +#use_pub_sub=true -# Use this port to connect to redis host. (integer value) -#port=6379 +# Minimal port number for random ports range. (port value) +# Possible values: 0-65535 +#rpc_zmq_min_port=49152 -# Password for Redis server (optional). (string value) -#password= +# Maximal port number for random ports range. (integer value) +# Possible values: 1-65536 +#rpc_zmq_max_port=65536 + +# Number of retries to find free port number before fail with +# ZMQBindError. (integer value) +#rpc_zmq_bind_port_retries=100 # Size of executor thread pool. (integer value) # Deprecated group/name - [DEFAULT]/rpc_thread_pool_size #executor_thread_pool_size=64 -# The Drivers(s) to handle sending notifications. 
Possible -# values are messaging, messagingv2, routing, log, test, noop -# (multi valued) -#notification_driver= - -# AMQP topic used for OpenStack notifications. (list value) -# Deprecated group/name - [rpc_notifier2]/topics -#notification_topics=notifications - # Seconds to wait for a response from a call. (integer value) #rpc_response_timeout=60 @@ -351,7 +347,7 @@ host={{ ansible_hostname }} #transport_url= # The messaging driver to use, defaults to rabbit. Other -# drivers include qpid and zmq. (string value) +# drivers include amqp and zmq. (string value) #rpc_backend=rabbit # The default exchange under which topics are scoped. May be @@ -383,10 +379,21 @@ host={{ ansible_hostname }} # service's log file. (string value) #backdoor_port= +# Enable eventlet backdoor, using the provided path as a unix +# socket that can receive connections. This option is mutually +# exclusive with 'backdoor_port' in that only one should be +# provided. If both are provided then the existence of this +# option overrides the usage of that option. (string value) +#backdoor_socket= + # Enables or disables logging values of all registered options # when starting a service (at DEBUG level). (boolean value) #log_options=true +# Specify a timeout after which a gracefully shutdown server +# will exit. Zero value means endless wait. (integer value) +#graceful_shutdown_timeout=60 + [agent] 
@@ -418,6 +425,15 @@ host={{ ansible_hostname }} # memory consumed by the agent ramdisk image. (integer value) #memory_consumed_by_agent=0 +# Whether the agent ramdisk should stream raw images directly +# onto the disk or not. By streaming raw images directly onto +# the disk the agent ramdisk will not spend time copying the +# image to a tmpfs partition (therefore consuming less memory) +# prior to writing it to the disk. Unless the disk where the +# image will be copied to is really slow, this option should +# be set to True. Defaults to True. (boolean value) +#stream_raw_images=true + # # Options defined in ironic.drivers.modules.agent_base_vendor @@ -452,10 +468,19 @@ host={{ ansible_hostname }} # Options defined in ironic.drivers.modules.amt.common # -# Protocol used for AMT endpoint, support http/https (string -# value) +# Protocol used for AMT endpoint (string value) +# Possible values: http, https #protocol=http +# Time interval (in seconds) for successive awake call to AMT +# interface, this depends on the IdleTimeout setting on AMT +# interface. AMT Interface will go to sleep after 60 seconds +# of inactivity by default. IdleTimeout=0 means AMT will not +# go to sleep at all. Setting awake_interval=0 will disable +# awake call. (integer value) +# Minimum value: 0 +#awake_interval=60 + # # Options defined in ironic.drivers.modules.amt.power @@ -479,7 +504,8 @@ host={{ ansible_hostname }} # The IP address on which ironic-api listens. (string value) #host_ip=0.0.0.0 -# The TCP port on which ironic-api listens. (integer value) +# The TCP port on which ironic-api listens. (port value) +# Possible values: 0-65535 #port=6385 # The maximum number of items returned in a single response 
@@ -494,6 +520,20 @@ host={{ ansible_hostname }} # (string value) #public_endpoint= +# Number of workers for OpenStack Ironic API service. The +# default is equal to the number of CPUs available if that can +# be determined, else a default worker count of 1 is returned. +# (integer value) +#api_workers= + +# Enable the integrated stand-alone API to service requests +# via HTTPS instead of HTTP. If there is a front-end service +# performing HTTPS offloading from the service, this option +# should be False; note, you will want to change public API +# endpoint to represent SSL termination URL with +# 'public_endpoint' option. (boolean value) +#enable_ssl_api=false + [cimc] @@ -527,6 +567,20 @@ host={{ ansible_hostname }} [conductor] +# +# Options defined in ironic.conductor.base_manager +# + +# The size of the workers greenthread pool. Note that 2 +# threads will be reserved by the conductor itself for +# handling heart beats and periodic tasks. (integer value) +# Minimum value: 3 +#workers_pool_size=100 + +# Seconds between conductor heart beats. (integer value) +#heartbeat_interval=10 + + # # Options defined in ironic.conductor.manager # @@ -536,9 +590,6 @@ host={{ ansible_hostname }} # value) api_url={{ ironic_api_url }} -# Seconds between conductor heart beats. (integer value) -#heartbeat_interval=10 - # Maximum time (in seconds) since the last check-in of a # conductor. A conductor is considered inactive when this time # has been exceeded. (integer value) @@ -572,9 +623,6 @@ sync_power_state_interval={{ ironic_sync_power_state_interval }} # thread pool size. (integer value) #periodic_max_workers=8 -# The size of the workers greenthread pool. (integer value) -#workers_pool_size=100 - # Number of attempts to grab a node lock. (integer value) #node_locked_retry_attempts=3 
@@ -613,11 +661,12 @@ sync_power_state_interval={{ ironic_sync_power_state_interval }} # unlimited. (integer value) #inspect_timeout=1800 -# Cleaning is a configurable set of steps, such as erasing -# disk drives, that are performed on the node to ensure it is -# in a baseline state and ready to be deployed to. This is -# done after instance deletion, and during the transition from -# a "managed" to "available" state. When enabled, the +# Enables or disables automated cleaning. Automated cleaning +# is a configurable set of steps, such as erasing disk drives, +# that are performed on the node to ensure it is in a baseline +# state and ready to be deployed to. This is done after +# instance deletion as well as during the transition from a +# "manageable" to "available" state. When enabled, the # particular steps performed to clean a node depend on which # driver that node is managed by; see the individual driver's # documentation for details. NOTE: The introduction of the @@ -625,7 +674,8 @@ sync_power_state_interval={{ ironic_sync_power_state_interval }} # significantly longer. In an environment where all tenants # are trusted (eg, because there is only one tenant), this # option could be safely disabled. (boolean value) -#clean_nodes=true +# Deprecated group/name - [conductor]/clean_nodes +#automated_clean=true # Timeout (seconds) to wait for a callback from the ramdisk # doing the cleaning. If the timeout is reached the node will @@ -667,7 +717,7 @@ sync_power_state_interval={{ ironic_sync_power_state_interval }} # # Indicate whether this resource may be shared with the domain -# received in the requests "origin" header. (string value) +# received in the requests "origin" header. (list value) #allowed_origin= # Indicate that the actual request can include user 
@@ -698,7 +748,7 @@ sync_power_state_interval={{ ironic_sync_power_state_interval }} # # Indicate whether this resource may be shared with the domain -# received in the requests "origin" header. (string value) +# received in the requests "origin" header. (list value) #allowed_origin= # Indicate that the actual request can include user @@ -737,9 +787,11 @@ sync_power_state_interval={{ ironic_sync_power_state_interval }} # # The file name to use with SQLite. (string value) +# Deprecated group/name - [DEFAULT]/sqlite_db #sqlite_db=oslo.sqlite # If True, SQLite uses synchronous mode. (boolean value) +# Deprecated group/name - [DEFAULT]/sqlite_synchronous #sqlite_synchronous=true # The back end to use for the database. (string value) @@ -800,7 +852,7 @@ connection={{ ironic_db_connection_string }} # (integer value) # Deprecated group/name - [DEFAULT]/sql_max_overflow # Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow -#max_overflow= +#max_overflow=50 # Verbosity of SQL debugging information: 0=None, # 100=Everything. (integer value) @@ -846,23 +898,13 @@ connection={{ ironic_db_connection_string }} # Options defined in ironic.drivers.modules.deploy_utils # -# Size of EFI system partition in MiB when configuring UEFI -# systems for local boot. (integer value) -#efi_system_partition_size=200 - -# Block size to use when writing to the nodes disk. (string -# value) -#dd_block_size=1M - -# Maximum attempts to verify an iSCSI connection is active, -# sleeping 1 second between attempts. (integer value) -#iscsi_verify_attempts=3 - # ironic-conductor node's HTTP server URL. Example: # http://192.1.2.3:8080 (string value) +# Deprecated group/name - [pxe]/http_url #http_url= # ironic-conductor node's HTTP root path. (string value) +# Deprecated group/name - [pxe]/http_root #http_root=/httpboot # Priority to run in-band erase devices via the Ironic Python 
@@ -892,7 +934,7 @@ dhcp_provider={{ ironic_dhcp_provider }} [disk_partitioner] # -# Options defined in ironic.common.disk_partitioner +# Options defined in ironic_lib.disk_partitioner # # After Ironic has completed creating the partition table, it @@ -908,21 +950,26 @@ dhcp_provider={{ ironic_dhcp_provider }} #check_device_max_retries=20 -[drac] +[disk_utils] # -# Options defined in ironic.drivers.modules.drac.client +# Options defined in ironic_lib.disk_utils # -# In case there is a communication failure, the DRAC client -# resends the request as many times as defined in this -# setting. (integer value) -#client_retry_count=5 +# Size of EFI system partition in MiB when configuring UEFI +# systems for local boot. (integer value) +# Deprecated group/name - [deploy]/efi_system_partition_size +#efi_system_partition_size=200 -# In case there is a communication failure, the DRAC client -# waits for as many seconds as defined in this setting before -# resending the request. (integer value) -#client_retry_delay=5 +# Block size to use when writing to the nodes disk. (string +# value) +# Deprecated group/name - [deploy]/dd_block_size +#dd_block_size=1M + +# Maximum attempts to verify an iSCSI connection is active, +# sleeping 1 second between attempts. (integer value) +# Deprecated group/name - [deploy]/iscsi_verify_attempts +#iscsi_verify_attempts=3 [glance] 
@@ -943,15 +990,35 @@ dhcp_provider={{ ironic_dhcp_provider }} # The length of time in seconds that the temporary URL will be # valid for. Defaults to 20 minutes. If some deploys get a 401 # response code when trying to download from the temporary -# URL, try raising this duration. (integer value) +# URL, try raising this duration. This value must be greater +# than or equal to the value for +# swift_temp_url_expected_download_start_delay (integer value) #swift_temp_url_duration=1200 +# Whether to cache generated Swift temporary URLs. Setting it +# to true is only useful when an image caching proxy is used. +# Defaults to False. (boolean value) +#swift_temp_url_cache_enabled=false + +# This is the delay (in seconds) from the time of the deploy +# request (when the Swift temporary URL is generated) to when +# the IPA ramdisk starts up and URL is used for the image +# download. This value is used to check if the Swift temporary +# URL duration is large enough to let the image download +# begin. Also if temporary URL caching is enabled this will +# determine if a cached entry will still be valid when the +# download starts. swift_temp_url_duration value must be +# greater than or equal to this option's value. Defaults to 0. +# (integer value) +# Minimum value: 0 +#swift_temp_url_expected_download_start_delay=0 + # The "endpoint" (scheme, hostname, optional port) for the # Swift URL of the form # "endpoint_url/api_version/[account/]container/object_id". Do # not include trailing "/". For example, use -# "https://swift.example.com". In case of using RADOS Gateway, -# endpoint may also contain /swift path, if it does not, it +# "https://swift.example.com". If using RADOS Gateway, +# endpoint may also contain /swift path; if it does not, it # will be appended. Required for temporary URLs. (string # value) #swift_endpoint_url= 
@@ -988,9 +1055,10 @@ dhcp_provider={{ ironic_dhcp_provider }} # value) #swift_store_multiple_containers_seed=0 -# Type of the endpoint to use for temporary URLs. It depends -# on an actual Glance backend used. Possible values are -# "swift" and "radosgw". (string value) +# Type of endpoint to use for temporary URLs. If the Glance +# backend is Swift, use "swift"; if it is CEPH with RADOS +# gateway, use "radosgw". (string value) +# Possible values: swift, radosgw #temp_url_endpoint_type=swift @@ -999,13 +1067,19 @@ dhcp_provider={{ ironic_dhcp_provider }} # # Default glance hostname or IP address. (string value) -glance_host={{ internal_lb_vip_address }} +{% if ironic_glance_host is defined %} +glance_host={{ ironic_glance_host }} +{% else %} +#glance_host=$my_ip +{% endif %} -# Default glance port. (integer value) +# Default glance port. (port value) +# Possible values: 0-65535 #glance_port=9292 # Default protocol to use when connecting to glance. Set to # https for SSL. (string value) +# Possible values: http, https #glance_protocol=http # A list of the glance api servers available to ironic. Prefix @@ -1022,9 +1096,14 @@ glance_host={{ internal_lb_vip_address }} #glance_num_retries=0 # Authentication strategy to use when connecting to glance. -# Only "keystone" and "noauth" are currently supported by -# ironic. (string value) -auth_strategy={{ ironic_auth_strategy }} +# (string value) +# Possible values: keystone, noauth +auth_strategy={{ ironic_glance_auth_strategy }} + +# Optional path to a CA certificate bundle to be used to +# validate the SSL certificate served by glance. It is used +# when glance_api_insecure is set to False. (string value) +#glance_cafile= [iboot] @@ -1042,6 +1121,7 @@ auth_strategy={{ ironic_auth_strategy }} # Time (in seconds) to sleep between when rebooting (powering # off and on again). (integer value) +# Minimum value: 0 #reboot_delay=5 
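Review bot: In the [glance] hunk at -999, `#glance_protocol=http` and the newly added `#glance_cafile=` stay commented with no role variable behind them, so unless a deployer sets them through `ironic_ironic_conf_overrides`, image downloads from glance presumably run over plain HTTP without certificate validation. Role variables for these options, or at least a comment in defaults/main.yml pointing at the override, would make the TLS choice explicit for the images written to bare-metal nodes. In the same hunk, when `ironic_glance_host` is undefined only the commented `#glance_host=$my_ip` is rendered, silently replacing the previous `internal_lb_vip_address` value; that fallback deserves a line next to the commented `# ironic_glance_host: x.x.x.x` default. The next hunk (-1022) makes `auth_strategy` follow `ironic_glance_auth_strategy`, which admits `noauth`; a comment that `noauth` is not meant for production would match the warning already given for the API option at the top of the file.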
@@ -1054,7 +1134,8 @@ auth_strategy={{ ironic_auth_strategy }} # Timeout (in seconds) for iLO operations (integer value) #client_timeout=60 -# Port to be used for iLO operations (integer value) +# Port to be used for iLO operations (port value) +# Possible values: 0-65535 #client_port=443 # The Swift iLO container to store data. (string value) @@ -1088,7 +1169,7 @@ auth_strategy={{ ironic_auth_strategy }} # # Priority for reset_ilo clean step. (integer value) -#clean_priority_reset_ilo=1 +#clean_priority_reset_ilo=0 # Priority for reset_bios_to_default clean step. (integer # value) @@ -1100,7 +1181,7 @@ auth_strategy={{ ironic_auth_strategy }} #clean_priority_reset_secure_boot_keys_to_default=20 # Priority for clear_secure_boot_keys clean step. This step is -# not enabled by default. It can be enabled to to clear all +# not enabled by default. It can be enabled to clear all # secure boot keys enrolled with iLO. (integer value) #clean_priority_clear_secure_boot_keys=0 @@ -1131,15 +1212,18 @@ auth_strategy={{ ironic_auth_strategy }} # whether to enable inspection using ironic-inspector (boolean # value) +# Deprecated group/name - [discoverd]/enabled #enabled=false # ironic-inspector HTTP endpoint. If this is not set, the # ironic-inspector client default (http://127.0.0.1:5050) will # be used. (string value) +# Deprecated group/name - [discoverd]/service_url #service_url= # period (in seconds) to check status of nodes on inspection # (integer value) +# Deprecated group/name - [discoverd]/status_check_period #status_check_period=60 
@@ -1167,27 +1251,7 @@ auth_strategy={{ ironic_auth_strategy }} [irmc] # -# Options defined in ironic.drivers.modules.irmc.common -# - -# Port to be used for iRMC operations, either 80 or 443 -# (integer value) -#port=443 - -# Authentication method to be used for iRMC operations, either -# "basic" or "digest" (string value) -#auth_method=basic - -# Timeout (in seconds) for iRMC operations (integer value) -#client_timeout=60 - -# Sensor data retrieval method, either "ipmitool" or "scci" -# (string value) -#sensor_method=ipmitool - - -# -# Options defined in ironic.drivers.modules.irmc.deploy +# Options defined in ironic.drivers.modules.irmc.boot # # Ironic conductor node's "NFS" or "CIFS" root path (string @@ -1197,8 +1261,8 @@ auth_strategy={{ ironic_auth_strategy }} # IP of remote image server (string value) #remote_image_server= -# Share type of virtual media, either "NFS" or "CIFS" (string -# value) +# Share type of virtual media (string value) +# Possible values: CIFS, NFS #remote_image_share_type=CIFS # share name of remote_image_server (string value) 
@@ -1214,6 +1278,54 @@ auth_strategy={{ ironic_auth_strategy }} #remote_image_user_domain= +# +# Options defined in ironic.drivers.modules.irmc.common +# + +# Port to be used for iRMC operations (port value) +# Possible values: 443, 80 +#port=443 + +# Authentication method to be used for iRMC operations (string +# value) +# Possible values: basic, digest +#auth_method=basic + +# Timeout (in seconds) for iRMC operations (integer value) +#client_timeout=60 + +# Sensor data retrieval method. (string value) +# Possible values: ipmitool, scci +#sensor_method=ipmitool + +# SNMP protocol version (string value) +# Possible values: v1, v2c, v3 +#snmp_version=v2c + +# SNMP port (port value) +# Possible values: 0-65535 +#snmp_port=161 + +# SNMP community. Required for versions "v1" and "v2c" (string +# value) +#snmp_community=public + +# SNMP security name. Required for version "v3" (string value) +#snmp_security= + + +[ironic_lib] + +# +# Options defined in ironic_lib.utils +# + +# Command that is prefixed to commands that are run as root. +# If not specified, no commands are run as root. (string +# value) +#root_helper=sudo ironic-rootwrap /etc/ironic/rootwrap.conf + + [keystone] # @@ -1226,6 +1338,12 @@ auth_strategy={{ ironic_auth_strategy }} [keystone_authtoken] +auth_url = {{ keystone_service_adminurl }} +project_domain_id = {{ ironic_service_project_domain_id }} +user_domain_id = {{ ironic_service_user_domain_id }} +project_name = {{ ironic_service_project_name }} +username = {{ ironic_service_user_name }} +password = {{ ironic_service_password }} # # Options defined in keystonemiddleware.auth_token @@ -1236,7 +1354,7 @@ auth_uri={{ keystone_service_internaluri }} # API version of the admin Identity API endpoint. (string # value) -#auth_version= +auth_version={% if keystone_service_adminurl.endswith('v3') %}3{% else %}2.0{% endif %} # Do not handle authorization requests within the middleware, # but delegate the authorization decision to downstream WSGI 
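Review bot: The new `auth_version` line in the [keystone_authtoken] hunk tests `keystone_service_adminurl.endswith('v3')`, so an admin URL written with a trailing slash falls through to `2.0`. The same section now sets `project_domain_id` and `user_domain_id`, which only make sense against the v3 API, so the two settings could end up disagreeing. Stripping the slash first avoids that: `auth_version={% if keystone_service_adminurl.rstrip('/').endswith('v3') %}3{% else %}2.0{% endif %}`. The section continues outside this hunk.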
@@ -1267,7 +1385,7 @@ auth_uri={{ keystone_service_internaluri }} #cafile= # Verify HTTPS connections. (boolean value) -#insecure=false +insecure={{ keystone_service_adminuri_insecure }} # The region in which the identity server can be found. # (string value) @@ -1280,8 +1398,8 @@ auth_uri={{ keystone_service_internaluri }} # Optionally specify a list of memcached server(s) to use for # caching. If left undefined, tokens will instead be cached # in-process. (list value) -# Deprecated group/name - [DEFAULT]/memcache_servers -#memcached_servers= +# Deprecated group/name - [keystone_authtoken]/memcache_servers +memcached_servers={{ memcached_servers }} # In order to prevent excessive effort spent validating # tokens, the middleware caches previously-seen tokens for a 
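Review bot: The comment above the new `insecure={{ keystone_service_adminuri_insecure }}` line reads "Verify HTTPS connections", but the option has the opposite sense: a true value turns certificate verification off for the middleware's calls to keystone. The value is rendered with no default and no boolean coercion, and the variable is defined outside this hunk. I would render it as `insecure={{ keystone_service_adminuri_insecure | default(false) | bool }}` and add a comment above it: `# True disables TLS certificate verification; keep False outside test builds`. `cafile` stays commented out just above, so a deployment with a private CA would presumably have to set `insecure` rather than point at its bundle.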
@@ -1297,18 +1415,18 @@ auth_uri={{ keystone_service_internaluri }} #revocation_cache_time=10 # (Optional) If defined, indicate whether token data should be -# authenticated or authenticated and encrypted. Acceptable -# values are MAC or ENCRYPT. If MAC, token data is -# authenticated (with HMAC) in the cache. If ENCRYPT, token -# data is encrypted and authenticated in the cache. If the -# value is not one of these options or empty, auth_token will -# raise an exception on initialization. (string value) -#memcache_security_strategy= +# authenticated or authenticated and encrypted. If MAC, token +# data is authenticated (with HMAC) in the cache. If ENCRYPT, +# token data is encrypted and authenticated in the cache. If +# the value is not one of these options or empty, auth_token +# will raise an exception on initialization. (string value) +# Possible values: None, MAC, ENCRYPT +memcache_security_strategy=ENCRYPT # (Optional, mandatory if memcache_security_strategy is # defined) This string is used for key derivation. (string # value) -#memcache_secret_key= +memcache_secret_key={{ memcached_encryption_key }} # (Optional) Number of seconds memcached server is considered # dead before it is tried again. (integer value) 
@@ -1370,43 +1488,13 @@ auth_uri={{ keystone_service_internaluri }} # (list value) #hash_algorithms=md5 -# Prefix to prepend at the beginning of the path. Deprecated, -# use identity_uri. (string value) -#auth_admin_prefix= +# Authentication type to load (type of value is unknown) +# Deprecated group/name - [keystone_authtoken]/auth_plugin +auth_type=password -# Host providing the admin Identity API endpoint. Deprecated, -# use identity_uri. (string value) -#auth_host=127.0.0.1 - -# Port of the admin Identity API endpoint. Deprecated, use -# identity_uri. (integer value) -#auth_port=35357 - -# Protocol of the admin Identity API endpoint (http or https). -# Deprecated, use identity_uri. (string value) -#auth_protocol=https - -# Complete admin Identity API endpoint. This should specify -# the unversioned root endpoint e.g. https://localhost:35357/ -# (string value) -identity_uri={{ keystone_service_internaluri }} - -# This option is deprecated and may be removed in a future -# release. Single shared secret with the Keystone -# configuration used for bootstrapping a Keystone -# installation, or otherwise bypassing the normal -# authentication process. This option should not be used, use -# `admin_user` and `admin_password` instead. (string value) -#admin_token= - -# Service username. (string value) -admin_user={{ ironic_service_user_name }} - -# Service user password. (string value) -admin_password={{ ironic_service_password }} - -# Service tenant name. (string value) -admin_tenant_name={{ ironic_service_project_name }} +# Config Section from which to load plugin specific options +# (type of value is unknown) +#auth_section= [matchmaker_redis] 
@@ -1418,12 +1506,31 @@ admin_tenant_name={{ ironic_service_project_name }} # Host to locate redis. (string value) #host=127.0.0.1 -# Use this port to connect to redis host. (integer value) +# Use this port to connect to redis host. (port value) +# Possible values: 0-65535 #port=6379 # Password for Redis server (optional). (string value) #password= +# List of Redis Sentinel hosts (fault tolerance mode) e.g. +# [host:port, host1:port ... ] (list value) +#sentinel_hosts= + +# Redis replica set name. (string value) +#sentinel_group_name=oslo-messaging-zeromq + +# Time in ms to wait between connection attempts. (integer +# value) +#wait_timeout=500 + +# Time in ms to wait before the transaction is killed. +# (integer value) +#check_timeout=20000 + +# Timeout in ms on blocking socket operations (integer value) +#socket_timeout=1000 + [neutron] @@ -1432,7 +1539,11 @@ admin_tenant_name={{ ironic_service_project_name }} # # URL for connecting to neutron. (string value) +{% if neutron_service_adminuri is defined %} url={{ neutron_service_adminurl }} +{% else %} +#url= +{% endif %} # Timeout value for connecting to neutron in seconds. (integer # value) 
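Review bot: The guard added in the [neutron] hunk tests one variable and renders another: `{% if neutron_service_adminuri is defined %}` wraps `url={{ neutron_service_adminurl }}`. If only `neutron_service_adminurl` is set, the URL is silently left at the commented default; if only `neutron_service_adminuri` is set, the template fails on the undefined name. The test should name the variable that is rendered: `{% if neutron_service_adminurl is defined %}`.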
@@ -1443,15 +1554,14 @@ url={{ neutron_service_adminurl }} #retries=3 # Default authentication strategy to use when connecting to -# neutron. Can be either "keystone" or "noauth". Running -# neutron in noauth mode (related to but not affected by this -# setting) is insecure and should only be used for testing. -# (string value) -auth_strategy={{ ironic_auth_strategy }} +# neutron. Running neutron in noauth mode (related to but not +# affected by this setting) is insecure and should only be +# used for testing. (string value) +# Possible values: keystone, noauth +auth_strategy={{ ironic_neutron_auth_strategy }} -# UUID of the network to create Neutron ports on when booting -# to a ramdisk for cleaning/zapping using Neutron DHCP (string -# value) +# UUID of the network to create Neutron ports on, when booting +# to a ramdisk for cleaning using Neutron DHCP. (string value) #cleaning_network_uuid= @@ -1489,6 +1599,7 @@ auth_strategy={{ ironic_auth_strategy }} # # Enables or disables inter-process locks. (boolean value) +# Deprecated group/name - [DEFAULT]/disable_process_locking #disable_process_locking=false # Directory to use for lock files. For security, the @@ -1496,6 +1607,7 @@ auth_strategy={{ ironic_auth_strategy }} # running the processes that need locking. Defaults to # environment variable OSLO_LOCK_PATH. If external locks are # used, a lock path must be set. (string value) +# Deprecated group/name - [DEFAULT]/lock_path #lock_path= 
@@ -1507,130 +1619,102 @@ auth_strategy={{ ironic_auth_strategy }} # address prefix used when sending to a specific server # (string value) +# Deprecated group/name - [amqp1]/server_request_prefix #server_request_prefix=exclusive # address prefix used when broadcasting to all servers (string # value) +# Deprecated group/name - [amqp1]/broadcast_prefix #broadcast_prefix=broadcast # address prefix when sending to any server in group (string # value) +# Deprecated group/name - [amqp1]/group_request_prefix #group_request_prefix=unicast # Name for the AMQP container (string value) +# Deprecated group/name - [amqp1]/container_name #container_name= # Timeout for inactive connections (in seconds) (integer # value) +# Deprecated group/name - [amqp1]/idle_timeout #idle_timeout=0 # Debug: dump AMQP frames to stdout (boolean value) +# Deprecated group/name - [amqp1]/trace #trace=false # CA certificate PEM file to verify server certificate (string # value) +# Deprecated group/name - [amqp1]/ssl_ca_file #ssl_ca_file= # Identifying certificate PEM file to present to clients # (string value) +# Deprecated group/name - [amqp1]/ssl_cert_file #ssl_cert_file= # Private key PEM file used to sign cert_file certificate # (string value) +# Deprecated group/name - [amqp1]/ssl_key_file #ssl_key_file= # Password for decrypting ssl_key_file (if encrypted) (string # value) +# Deprecated group/name - [amqp1]/ssl_key_password #ssl_key_password= # Accept clients using either SSL or plain TCP (boolean value) +# Deprecated group/name - [amqp1]/allow_insecure_clients #allow_insecure_clients=false # Space separated list of acceptable SASL mechanisms (string # value) +# Deprecated group/name - [amqp1]/sasl_mechanisms #sasl_mechanisms= # Path to directory that contains the SASL configuration # (string value) +# Deprecated group/name - [amqp1]/sasl_config_dir #sasl_config_dir= # Name of configuration file (without .conf suffix) (string # value) +# Deprecated group/name - [amqp1]/sasl_config_name 
#sasl_config_name= # User name for message broker authentication (string value) +# Deprecated group/name - [amqp1]/username #username= # Password for message broker authentication (string value) +# Deprecated group/name - [amqp1]/password #password= -[oslo_messaging_qpid] +[oslo_messaging_notifications] # # Options defined in oslo.messaging # -# Use durable queues in AMQP. (boolean value) -# Deprecated group/name - [DEFAULT]/amqp_durable_queues -# Deprecated group/name - [DEFAULT]/rabbit_durable_queues -#amqp_durable_queues=false +# The Drivers(s) to handle sending notifications. Possible +# values are messaging, messagingv2, routing, log, test, noop +# (multi valued) +# Deprecated group/name - [DEFAULT]/notification_driver +#driver= -# Auto-delete queues in AMQP. (boolean value) -#amqp_auto_delete=false +# A URL representing the messaging driver to use for +# notifications. If not set, we fall back to the same +# configuration used for RPC. (string value) +# Deprecated group/name - [DEFAULT]/notification_transport_url +#transport_url= -# Send a single AMQP reply to call message. The current -# behaviour since oslo-incubator is to send two AMQP replies - -# first one with the payload, a second one to ensure the other -# have finish to send the payload. We are going to remove it -# in the N release, but we must keep backward compatible at -# the same time. This option provides such compatibility - it -# defaults to False in Liberty and can be turned on for early -# adopters with a new installations or for testing. Please -# note, that this option will be removed in the Mitaka -# release. (boolean value) -#send_single_reply=false - -# Qpid broker hostname. (string value) -#qpid_hostname=localhost - -# Qpid broker port. (integer value) -#qpid_port=5672 - -# Qpid HA cluster host:port pairs. (list value) -#qpid_hosts=$qpid_hostname:$qpid_port - -# Username for Qpid connection. (string value) -#qpid_username= - -# Password for Qpid connection. 
(string value) -#qpid_password= - -# Space separated list of SASL mechanisms to use for auth. -# (string value) -#qpid_sasl_mechanisms= - -# Seconds between connection keepalive heartbeats. (integer -# value) -#qpid_heartbeat=60 - -# Transport to use, either 'tcp' or 'ssl'. (string value) -#qpid_protocol=tcp - -# Whether to disable the Nagle algorithm. (boolean value) -#qpid_tcp_nodelay=true - -# The number of prefetched messages held by receiver. (integer -# value) -#qpid_receiver_capacity=1 - -# The qpid topology version to use. Version 1 is what was -# originally used by impl_qpid. Version 2 includes some -# backwards-incompatible changes that allow broker federation -# to work. Users should update to version 2 when they are -# able to take everything down, as it requires a clean break. -# (integer value) -#qpid_topology_version=1 +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group/name - [rpc_notifier2]/topics +# Deprecated group/name - [DEFAULT]/notification_topics +#topics=notifications [oslo_messaging_rabbit] 
@@ -1645,68 +1729,84 @@ auth_strategy={{ ironic_auth_strategy }} #amqp_durable_queues=false # Auto-delete queues in AMQP. (boolean value) +# Deprecated group/name - [DEFAULT]/amqp_auto_delete #amqp_auto_delete=false -# Send a single AMQP reply to call message. The current -# behaviour since oslo-incubator is to send two AMQP replies - -# first one with the payload, a second one to ensure the other -# have finish to send the payload. We are going to remove it -# in the N release, but we must keep backward compatible at -# the same time. This option provides such compatibility - it -# defaults to False in Liberty and can be turned on for early -# adopters with a new installations or for testing. Please -# note, that this option will be removed in the Mitaka -# release. (boolean value) -#send_single_reply=false - # SSL version to use (valid only if SSL enabled). Valid values # are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may # be available on some distributions. (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_version #kombu_ssl_version= # SSL key file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile #kombu_ssl_keyfile= # SSL cert file (valid only if SSL enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_certfile #kombu_ssl_certfile= # SSL certification authority file (valid only if SSL # enabled). (string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs #kombu_ssl_ca_certs= # How long to wait before reconnecting in response to an AMQP # consumer cancel notification. (floating point value) +# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay #kombu_reconnect_delay=1.0 -# How long to wait before considering a reconnect attempt to -# have failed. This value should not be longer than +# EXPERIMENTAL: Possible values are: gzip, bz2. If not set +# compression will not be used. This option may notbe +# available in future versions. 
(string value) +#kombu_compression= + +# How long to wait a missing client beforce abandoning to send +# it its replies. This value should not be longer than # rpc_response_timeout. (integer value) -#kombu_reconnect_timeout=60 +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_reconnect_timeout +#kombu_missing_consumer_retry_timeout=60 + +# Determines how the next RabbitMQ node is chosen in case the +# one we are currently connected to becomes unavailable. Takes +# effect only if more than one RabbitMQ node is provided in +# config. (string value) +# Possible values: round-robin, shuffle +#kombu_failover_strategy=round-robin # The RabbitMQ broker address where a single node is used. # (string value) +# Deprecated group/name - [DEFAULT]/rabbit_host #rabbit_host=localhost -# The RabbitMQ broker port where a single node is used. -# (integer value) -rabbit_port={{ rabbitmq_port }} +# The RabbitMQ broker port where a single node is used. (port +# value) +# Possible values: 0-65535 +# Deprecated group/name - [DEFAULT]/rabbit_port +#rabbit_port=5672 # RabbitMQ HA cluster host:port pairs. (list value) +# Deprecated group/name - [DEFAULT]/rabbit_hosts rabbit_hosts={{ rabbitmq_servers }} # Connect over SSL for RabbitMQ. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_use_ssl rabbit_use_ssl={{ rabbitmq_use_ssl }} # The RabbitMQ userid. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_userid rabbit_userid={{ ironic_rabbitmq_userid }} # The RabbitMQ password. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_password rabbit_password={{ ironic_rabbitmq_password }} # The RabbitMQ login method. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_login_method #rabbit_login_method=AMQPLAIN # The RabbitMQ virtual host. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_virtual_host rabbit_virtual_host={{ ironic_rabbitmq_vhost }} # How frequently to retry connecting with RabbitMQ. (integer 
@@ -1715,17 +1815,40 @@ rabbit_virtual_host={{ ironic_rabbitmq_vhost }} # How long to backoff for between retries when connecting to # RabbitMQ. (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_retry_backoff #rabbit_retry_backoff=2 +# Maximum interval of RabbitMQ connection retries. Default is +# 30 seconds. (integer value) +#rabbit_interval_max=30 + # Maximum number of RabbitMQ connection retries. Default is 0 # (infinite retry count). (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_max_retries #rabbit_max_retries=0 -# Use HA queues in RabbitMQ (x-ha-policy: all). If you change -# this option, you must wipe the RabbitMQ database. (boolean -# value) +# Try to use HA queues in RabbitMQ (x-ha-policy: all). If you +# change this option, you must wipe the RabbitMQ database. In +# RabbitMQ 3.0, queue mirroring is no longer controlled by the +# x-ha-policy argument when declaring a queue. If you just +# want to make sure that all queues (except those with auto- +# generated names) are mirrored across all nodes, run: +# "rabbitmqctl set_policy HA '^(?!amq\.).*' '{"ha-mode": +# "all"}' " (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_ha_queues #rabbit_ha_queues=false +# Positive integer representing duration in seconds for queue +# TTL (x-expires). Queues which are unused for the duration of +# the TTL are automatically deleted. The parameter affects +# only reply and fanout queues. (integer value) +# Minimum value: 1 +#rabbit_transient_queues_ttl=1800 + +# Specifies the number of messages to prefetch. Setting to +# zero allows unlimited messages. (integer value) +#rabbit_qos_prefetch_count=0 + # Number of seconds after which the Rabbit broker is # considered down if heartbeat's keep-alive fails (0 disable # the heartbeat). EXPERIMENTAL (integer value) 
@@ -1737,8 +1860,115 @@ rabbit_virtual_host={{ ironic_rabbitmq_vhost }} # Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake # (boolean value) +# Deprecated group/name - [DEFAULT]/fake_rabbit #fake_rabbit=false +# Maximum number of channels to allow (integer value) +#channel_max= + +# The maximum byte size for an AMQP frame (integer value) +#frame_max= + +# How often to send heartbeats for consumer's connections +# (integer value) +#heartbeat_interval=1 + +# Enable SSL (boolean value) +#ssl= + +# Arguments passed to ssl.wrap_socket (dict value) +#ssl_options= + +# Set socket timeout in seconds for connection's socket +# (floating point value) +#socket_timeout=0.25 + +# Set TCP_USER_TIMEOUT in seconds for connection's socket +# (floating point value) +#tcp_user_timeout=0.25 + +# Set delay for reconnection to some host which has connection +# error (floating point value) +#host_connection_reconnect_delay=0.25 + +# Maximum number of connections to keep queued. (integer +# value) +#pool_max_size=10 + +# Maximum number of connections to create above +# `pool_max_size`. (integer value) +#pool_max_overflow=0 + +# Default number of seconds to wait for a connections to +# available (integer value) +#pool_timeout=30 + +# Lifetime of a connection (since creation) in seconds or None +# for no recycling. Expired connections are closed on acquire. +# (integer value) +#pool_recycle=600 + +# Threshold at which inactive (since release) connections are +# considered stale in seconds or None for no staleness. Stale +# connections are closed on acquire. (integer value) +#pool_stale=60 + +# Persist notification messages. (boolean value) +#notification_persistence=false + +# Exchange name for for sending notifications (string value) +#default_notification_exchange=${control_exchange}_notification + +# Max number of not acknowledged message which RabbitMQ can +# send to notification listener. 
(integer value) +#notification_listener_prefetch_count=100 + +# Reconnecting retry count in case of connectivity problem +# during sending notification, -1 means infinite retry. +# (integer value) +#default_notification_retry_attempts=-1 + +# Reconnecting retry delay in case of connectivity problem +# during sending notification message (floating point value) +#notification_retry_delay=0.25 + +# Time to live for rpc queues without consumers in seconds. +# (integer value) +#rpc_queue_expiration=60 + +# Exchange name for sending RPC messages (string value) +#default_rpc_exchange=${control_exchange}_rpc + +# Exchange name for receiving RPC replies (string value) +#rpc_reply_exchange=${control_exchange}_rpc_reply + +# Max number of not acknowledged message which RabbitMQ can +# send to rpc listener. (integer value) +#rpc_listener_prefetch_count=100 + +# Max number of not acknowledged message which RabbitMQ can +# send to rpc reply listener. (integer value) +#rpc_reply_listener_prefetch_count=100 + +# Reconnecting retry count in case of connectivity problem +# during sending reply. -1 means infinite retry during +# rpc_timeout (integer value) +#rpc_reply_retry_attempts=-1 + +# Reconnecting retry delay in case of connectivity problem +# during sending reply. (floating point value) +#rpc_reply_retry_delay=0.25 + +# Reconnecting retry count in case of connectivity problem +# during sending RPC message, -1 means infinite retry. If +# actual retry attempts in not 0 the rpc request could be +# processed more then one time (integer value) +#default_rpc_retry_attempts=-1 + +# Reconnecting retry delay in case of connectivity problem +# during sending RPC message (floating point value) +#rpc_retry_delay=0.25 + [oslo_policy] 
@@ -1747,10 +1977,12 @@ rabbit_virtual_host={{ ironic_rabbitmq_vhost }} # # The JSON file that defines policies. (string value) +# Deprecated group/name - [DEFAULT]/policy_file #policy_file=policy.json # Default rule. Enforced when a requested rule is not found. # (string value) +# Deprecated group/name - [DEFAULT]/policy_default_rule #policy_default_rule=default # Directories where policy configuration files are stored. @@ -1759,6 +1991,7 @@ rabbit_virtual_host={{ ironic_rabbitmq_vhost }} # file defined by policy_file must exist for these directories # to be searched. Missing or empty directories are ignored. # (multi valued) +# Deprecated group/name - [DEFAULT]/policy_dirs #policy_dirs=policy.d @@ -1781,7 +2014,8 @@ rabbit_virtual_host={{ ironic_rabbitmq_vhost }} #images_path=/var/lib/ironic/images/ # On the ironic-conductor node, directory where master -# instance images are stored on disk. (string value) +# instance images are stored on disk. Setting to +# disables image caching. (string value) #instance_master_path=/var/lib/ironic/master_images # Maximum size (in MiB) of cache for master images, including @@ -1818,7 +2052,8 @@ rabbit_virtual_host={{ ironic_rabbitmq_vhost }} #tftp_root=/tftpboot # On ironic-conductor node, directory where master TFTP images -# are stored on disk. (string value) +# are stored on disk. Setting to disables image +# caching. (string value) #tftp_master_path=/tftpboot/master_images # Bootfile DHCP parameter. (string value) 
@@ -1834,8 +2069,13 @@ rabbit_virtual_host={{ ironic_rabbitmq_vhost }} # file. (string value) #ipxe_boot_script=$pybasedir/drivers/modules/boot.ipxe -# The IP version that will be used for PXE booting. Can be -# either 4 or 6. Defaults to 4. EXPERIMENTAL (string value) +# Timeout value (in seconds) for downloading an image via +# iPXE. Defaults to 0 (no timeout) (integer value) +#ipxe_timeout=0 + +# The IP version that will be used for PXE booting. Defaults +# to 4. EXPERIMENTAL (string value) +# Possible values: 4, 6 #ip_version=4 @@ -1865,6 +2105,7 @@ rabbit_virtual_host={{ ironic_rabbitmq_vhost }} # Time (in seconds) to sleep between when rebooting (powering # off and on again) (integer value) +# Minimum value: 0 #reboot_delay=0 @@ -1887,6 +2128,37 @@ rabbit_virtual_host={{ ironic_rabbitmq_vhost }} #get_vm_name_retry_interval=3 +[ssl] + +# +# Options defined in oslo.service.sslutils +# + +# CA certificate file to use to verify connecting clients. +# (string value) +# Deprecated group/name - [DEFAULT]/ssl_ca_file +#ca_file= + +# Certificate file to use when starting the server securely. +# (string value) +# Deprecated group/name - [DEFAULT]/ssl_cert_file +#cert_file= + +# Private key file to use when starting the server securely. +# (string value) +# Deprecated group/name - [DEFAULT]/ssl_key_file +#key_file= + +# SSL version to use (valid only if SSL enabled). Valid values +# are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may +# be available on some distributions. (string value) +#version= + +# Sets the list of available ciphers. value should be a string +# in the OpenSSL cipher list format. (string value) +#ciphers= + + [swift] # @@ -1904,8 +2176,9 @@ rabbit_virtual_host={{ ironic_rabbitmq_vhost }} # Options defined in ironic.drivers.modules.virtualbox # -# Port on which VirtualBox web service is listening. (integer +# Port on which VirtualBox web service is listening. (port # value) +# Possible values: 0-65535 #port=18083 
diff --git a/templates/rootwrap.conf.j2 b/templates/rootwrap.conf.j2
new file mode 100644
index 00000000..061c4cd8
--- /dev/null
+++ b/templates/rootwrap.conf.j2
@@ -0,0 +1,27 @@
+# Configuration for ironic-rootwrap
+# This file should be owned by (and only-writeable by) the root user
+
+[DEFAULT]
+# List of directories to load filter definitions from (separated by ',').
+# These directories MUST all be only writeable by root !
+filters_path=/etc/ironic/rootwrap.d,/usr/share/ironic/rootwrap
+
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs={{ ironic_bin }},/sbin,/usr/sbin,/bin,/usr/bin
+
+# Enable logging to syslog
+# Default value is False
+use_syslog=False
+
+# Which syslog facility to use.
+# Valid values include auth, authpriv, syslog, user0, user1...
+# Default value is 'syslog'
+syslog_log_facility=syslog
+
+# Which messages to log.
+# INFO means log all usage
+# ERROR means only log unsuccessful attempts
+syslog_log_level=ERROR
diff --git a/tests/ansible-role-requirements.yml b/tests/ansible-role-requirements.yml
index 17e6449a..3f188ee7 100644
--- a/tests/ansible-role-requirements.yml
+++ b/tests/ansible-role-requirements.yml
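Review bot: `exec_dirs` in rootwrap.conf.j2 puts `{{ ironic_bin }}` first in the path ironic-rootwrap searches for commands it runs as root, while the file's own comment requires every listed directory to be writable only by root. `ironic_bin` is defined outside this hunk; if it resolves to a virtualenv bin directory owned by the service user, that requirement is not met for any filter that names a command without a full path. I would confirm the ownership in the install tasks and record it above the setting: `# ironic_bin must be root-owned and not writable by the ironic service user`. Separately, `use_syslog=False` leaves privileged command use unlogged; `use_syslog=True` with `syslog_log_level=INFO` would give an audit trail.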
@@ -1,8 +1,52 @@ -- name: galera_client - src: https://git.openstack.org/openstack/openstack-ansible-galera_client +- name: apt_package_pinning + src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning scm: git version: master - name: pip_install src: https://git.openstack.org/openstack/openstack-ansible-pip_install scm: git version: master +- name: pip_lock_down + src: https://git.openstack.org/openstack/openstack-ansible-pip_lock_down + scm: git + version: master +- name: memcached_server + src: https://git.openstack.org/openstack/openstack-ansible-memcached_server + scm: git + version: master +- name: py_from_git + src: https://git.openstack.org/openstack/openstack-ansible-py_from_git + scm: git + version: master +- name: lxc_hosts + src: https://git.openstack.org/openstack/openstack-ansible-lxc_hosts + scm: git + version: master +- name: lxc_container_create + src: https://git.openstack.org/openstack/openstack-ansible-lxc_container_create + scm: git + version: master +- name: openstack_hosts + src: https://git.openstack.org/openstack/openstack-ansible-openstack_hosts + scm: git + version: master +- name: galera_client + src: https://git.openstack.org/openstack/openstack-ansible-galera_client + scm: git + version: master +- name: galera_server + src: https://git.openstack.org/openstack/openstack-ansible-galera_server + scm: git + version: master +- name: rabbitmq_server + src: https://git.openstack.org/openstack/openstack-ansible-rabbitmq_server + scm: git + version: master +- name: os_keystone + src: https://git.openstack.org/openstack/openstack-ansible-os_keystone + scm: git + version: master +- name: openstack_openrc + src: https://git.openstack.org/openstack/openstack-ansible-openstack_openrc + scm: git + version: master diff --git a/tests/group_vars/all_containers.yml b/tests/group_vars/all_containers.yml new file mode 100644 index 00000000..4cc97942 --- /dev/null +++ b/tests/group_vars/all_containers.yml 
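Review bot: Every role added to tests/ansible-role-requirements.yml is fetched at `version: master`, so the test build runs whatever is at the tip of each of those repositories at clone time. A bad or unexpected upstream commit in any of them then flows straight into the converge run, and a failure cannot be reproduced against a known set of inputs. The commit message says the content is based on stable/mitaka, so pinning each entry to that branch, or better to a commit SHA, would match the stated baseline, e.g. `version: stable/mitaka`. The two existing entries already use `master`, so the same change would apply to them.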
@@ -0,0 +1,27 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ansible_ssh_host: "{{ ansible_host }}"
+container_name: "{{ inventory_hostname }}"
+container_networks:
+ management_address:
+ address: "{{ ansible_host }}"
+ bridge: "lxcbr0"
+ interface: "eth1"
+ netmask: "255.255.252.0"
+ type: "veth"
+physical_host: localhost
+properties:
+ service_name: "{{ inventory_hostname }}"
diff --git a/tests/group_vars/ironic_all.yml b/tests/group_vars/ironic_all.yml
new file mode 100644
index 00000000..cc63c9fd
--- /dev/null
+++ b/tests/group_vars/ironic_all.yml
@@ -0,0 +1,17 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+properties:
+ service_name: ironic
diff --git a/tests/inventory b/tests/inventory
index ada96ee8..8f4d73af 100644
--- a/tests/inventory
+++ b/tests/inventory
@@ -1,8 +1,47 @@ [all] -localhost ansible_connection=local ansible_become=True +localhost ansible_connection=local ansible_become=True ansible_user=root +infra1 ansible_host=10.100.100.101 ansible_become=True ansible_user=root +ironic1 ansible_host=10.100.100.102 ansible_become=True ansible_user=root # Note(mrda): 'ironicinstallhost' will need to externally resolve to where # you want to do an 'allinone' install, and the root account will need to have # your ssh public_key in it's /root/.ssh/authorized_keys file [installhost] installhost ansible_user=root ansible_ssh_port=22 ansible_ssh_host=ironicinstallhost + +[ironic_all:children] +ironic_api +ironic_conductor +ironic_server + +[ironic_api] +ironic1 + +[ironic_conductor] +ironic1 + +[ironic_server] +ironic1 + +[hosts] +localhost + +[all_containers] +infra1 +ironic1 + +[keystone_all] +infra1 + +[service_all:children] +rabbitmq_all +galera_all + +[rabbitmq_all] +infra1 + +[galera_all] +infra1 + +[utility_all] +localhost diff --git a/tests/test-install-infra.yml b/tests/test-install-infra.yml new file mode 100644 index 00000000..d8e0235e --- /dev/null +++ b/tests/test-install-infra.yml 
@@ -0,0 +1,32 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Playbook for deploying infra services
+ hosts: service_all
+ user: root
+ gather_facts: true
+ roles:
+ - role: "rabbitmq_server"
+ rabbitmq_cookie_token: secrete
+ - role: "galera_server"
+ galera_root_password: secrete
+ galera_root_user: root
+ galera_innodb_buffer_pool_size: 512M
+ galera_innodb_log_buffer_size: 32M
+ galera_server_id: "{{ inventory_hostname | string_2_int }}"
+ galera_wsrep_node_name: "{{ inventory_hostname }}"
+ galera_wsrep_provider_options:
+ - { option: "gcache.size", value: "32M" }
+ galera_server_id: "{{ inventory_hostname | string_2_int }}"
diff --git a/tests/test-install-ironic.yml b/tests/test-install-ironic.yml
new file mode 100644
index 00000000..a787a5ca
--- /dev/null
+++ b/tests/test-install-ironic.yml
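Review bot: The `galera_server` role entry in tests/test-install-infra.yml sets `galera_server_id` twice with the same value, once after `galera_innodb_log_buffer_size` and again as the last line of the file. Duplicate mapping keys are accepted silently by most YAML loaders, which keep the last one, so the two copies can drift apart without any error; drop the trailing `galera_server_id: "{{ inventory_hostname | string_2_int }}"`. The play also hard-codes `galera_root_password: secrete` and `galera_root_user: root`, which tests/test-vars.yml defines as well; loading `test-vars.yml` through `vars_files` here, as the keystone and ironic plays do, would leave a single source for these test-only values.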
@@ -0,0 +1,62 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Playbook for installing Ironic
+ hosts: ironic_all
+ remote_user: root
+ pre_tasks:
+ - name: Ensure Rabbitmq vhost
+ rabbitmq_vhost:
+ name: "{{ ironic_rabbitmq_vhost }}"
+ state: "present"
+ delegate_to: "10.100.100.101"
+ - name: Ensure rabbitmq user
+ rabbitmq_user:
+ user: "{{ ironic_rabbitmq_userid }}"
+ password: "{{ ironic_rabbitmq_password }}"
+ vhost: "{{ ironic_rabbitmq_vhost }}"
+ configure_priv: ".*"
+ read_priv: ".*"
+ write_priv: ".*"
+ state: "present"
+ delegate_to: "10.100.100.101"
+ - name: Create database for ironic
+ mysql_db:
+ login_user: "{{ galera_root_user }}"
+ login_password: "{{ galera_root_password }}"
+ login_host: "localhost"
+ name: "{{ ironic_galera_database }}"
+ state: "present"
+ delegate_to: "10.100.100.101"
+ run_once: true
+ - name: Grant access to the DB
+ mysql_user:
+ login_user: "{{ galera_root_user }}"
+ login_password: "{{ galera_root_password }}"
+ login_host: "localhost"
+ name: "{{ ironic_galera_user }}"
+ password: "{{ ironic_galera_password }}"
+ host: "{{ item }}"
+ state: "present"
+ priv: "{{ ironic_galera_database }}.*:ALL"
+ with_items:
+ - "localhost"
+ - "%"
+ delegate_to: "10.100.100.101"
+ run_once: true
+ roles:
+ - role: "{{ rolename | basename }}"
+ vars_files:
+ - test-vars.yml
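Review bot: All four pre_tasks in tests/test-install-ironic.yml delegate to the literal `10.100.100.101`, which duplicates the `infra1` address from tests/inventory; the pre_tasks of tests/test-install-keystone.yml repeat the same literal. Deriving the target from the inventory, e.g. `delegate_to: "{{ groups['rabbitmq_all'][0] }}"` and `delegate_to: "{{ groups['galera_all'][0] }}"`, keeps both plays correct if the test addressing changes. In this file the two RabbitMQ tasks also lack the `run_once: true` that the two database tasks carry, so they repeat for every host in `ironic_all`. Because tox runs the playbook with `-vv`, adding `no_log: true` to the `rabbitmq_user` and `mysql_user` tasks would keep the passwords they receive out of the job log should these plays be reused with non-test values.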
diff --git a/tests/test-install-keystone.yml b/tests/test-install-keystone.yml
new file mode 100644
index 00000000..9645f739
--- /dev/null
+++ b/tests/test-install-keystone.yml
@@ -0,0 +1,65 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Playbook for deploying keystone + hosts: keystone_all + user: root + gather_facts: true + pre_tasks: + - name: Ensure rabbitmq vhost + rabbitmq_vhost: + name: "{{ keystone_rabbitmq_vhost }}" + state: "present" + delegate_to: "10.100.100.101" + when: inventory_hostname == groups['keystone_all'][0] + - name: Ensure rabbitmq user + rabbitmq_user: + user: "{{ keystone_rabbitmq_userid }}" + password: "{{ keystone_rabbitmq_password }}" + vhost: "{{ keystone_rabbitmq_vhost }}" + configure_priv: ".*" + read_priv: ".*" + write_priv: ".*" + state: "present" + delegate_to: "10.100.100.101" + when: inventory_hostname == groups['keystone_all'][0] + - name: Create DB for service + mysql_db: + login_user: "{{ galera_root_user }}" + login_password: "{{ galera_root_password }}" + login_host: "localhost" + name: "{{ keystone_galera_database }}" + state: "present" + delegate_to: "10.100.100.101" + when: inventory_hostname == groups['keystone_all'][0] + - name: Grant access to the DB for the service + mysql_user: + login_user: "{{ galera_root_user }}" + login_password: "{{ galera_root_password }}" + login_host: "localhost" + name: "{{ keystone_galera_user }}" + password: "{{ keystone_container_mysql_password }}" + host: "{{ item }}" + state: "present" + priv: "{{ keystone_galera_database }}.*:ALL" + with_items: + - "localhost" + - "%" + delegate_to: "10.100.100.101" + 
when: inventory_hostname == groups['keystone_all'][0] + roles: + - role: os_keystone + vars_files: + - test-vars.yml diff --git a/tests/test-prepare-containers.yml b/tests/test-prepare-containers.yml new file mode 100644 index 00000000..932d6819 --- /dev/null +++ b/tests/test-prepare-containers.yml @@ -0,0 +1,33 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Playbook for creating containers + hosts: all_containers + connection: local + gather_facts: false + roles: + - role: "lxc_container_create" + lxc_container_release: trusty + lxc_container_backing_store: dir + global_environment_variables: + PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + post_tasks: + - name: Wait for ssh to be available + local_action: + module: wait_for + port: "{{ ansible_ssh_port | default('22') }}" + host: "{{ ansible_ssh_host | default(inventory_hostname) }}" + search_regex: OpenSSH + delay: 1 diff --git a/tests/test-prepare-host.yml b/tests/test-prepare-host.yml new file mode 100644 index 00000000..3af1adb7 --- /dev/null +++ b/tests/test-prepare-host.yml 
@@ -0,0 +1,77 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Playbook for configuring the LXC host + hosts: localhost + pre_tasks: + # Make sure OS does not have a stale package cache. + - name: Update apt cache + apt: + update_cache: yes + when: ansible_os_family == 'Debian' + - name: Ensure root's new public ssh key is in authorized_keys + authorized_key: + user: root + key: "{{ hostvars['127.0.0.1']['lxc_container_ssh_key'] }}" + manage_dir: no + - set_fact: + lxc_container_ssh_key: "{{ hostvars['127.0.0.1']['lxc_container_ssh_key'] }}" + - name: Check if this is an OpenStack-CI nodepool instance + stat: + path: /etc/nodepool/provider + register: nodepool + - name: Set the files to copy into the container cache for OpenStack-CI instances + set_fact: + lxc_container_cache_files: + - { src: '/etc/pip.conf', dest: '/etc/pip.conf' } + - { src: '/etc/apt/apt.conf.d/99unauthenticated', dest: '/etc/apt/apt.conf.d/99unauthenticated' } + when: nodepool.stat.exists | bool + - name: Determine the existing Ubuntu repo configuration + shell: 'awk "/^deb .*ubuntu\/? 
{{ ansible_distribution_release }} main/ {print \$2; exit}" /etc/apt/sources.list' + register: ubuntu_repo + changed_when: false + - name: Set apt repo facts based on discovered information + set_fact: + lxc_container_template_main_apt_repo: "{{ ubuntu_repo.stdout }}" + lxc_container_template_security_apt_rep: "{{ ubuntu_repo.stdout }}" + roles: + - role: "lxc_hosts" + lxc_net_address: 10.100.100.1 + lxc_net_dhcp_range: 10.100.100.200,10.100.100.250 + lxc_net_bridge: lxcbr0 + lxc_kernel_options: + - { key: 'fs.inotify.max_user_instances', value: 1024 } + lxc_container_caches: + - url: "https://rpc-repo.rackspace.com/container_images/rpc-trusty-container.tgz" + name: "trusty.tgz" + sha256sum: "56c6a6e132ea7d10be2f3e8104f47136ccf408b30e362133f0dc4a0a9adb4d0c" + chroot_path: trusty/rootfs-amd64 + - role: "openstack_openrc" + post_tasks: + # In the gate these packages get installed into .tox/functional, which is + # not where we need them to be. If we can figure out how to override this + # we can revert to using the pip module instead. + - name: Install pip packages + command: /usr/local/bin/pip install {{ item }} + register: install_packages + until: install_packages|success + retries: 5 + delay: 2 + with_items: + - lxc-python2 + - python-openstackclient + - python-ironicclient + vars_files: + - test-vars.yml diff --git a/tests/test-prepare-keys.yml b/tests/test-prepare-keys.yml new file mode 100644 index 00000000..5a1c9ec2 --- /dev/null +++ b/tests/test-prepare-keys.yml 
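Review bot: In tests/test-prepare-host.yml the fact `lxc_container_template_security_apt_rep` looks like a truncated `lxc_container_template_security_apt_repo`. The consuming role is not part of this diff, so the name should be checked against that role's defaults; if it is wrong, the fact is set but never read and the container template keeps the role's default security mirror. The same play copies `/etc/apt/apt.conf.d/99unauthenticated` into the container cache on nodepool instances, which judging by its name relaxes apt package authentication inside every test container. A comment on that task, such as `# CI mirrors only: never copy this file into containers outside the gate`, would stop the pattern being lifted into a real deployment.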
@@ -0,0 +1,31 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Playbook for establishing ssh keys
+ hosts: 127.0.0.1
+ connection: local
+ become: false
+ pre_tasks:
+ - name: Create ssh key pair for root
+ user:
+ name: "{{ ansible_ssh_user }}"
+ generate_ssh_key: "yes"
+ ssh_key_bits: 2048
+ ssh_key_file: ".ssh/id_rsa"
+ - name: Get the calling user's key
+ command: cat ~/.ssh/id_rsa.pub
+ register: key_get
+ - set_fact:
+ lxc_container_ssh_key: "{{ key_get.stdout }}"
diff --git a/tests/test-vars.yml b/tests/test-vars.yml
new file mode 100644
index 00000000..5de65d43
--- /dev/null
+++ b/tests/test-vars.yml
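Review bot: The `Create ssh key pair for root` task in tests/test-prepare-keys.yml generates the key for `{{ ansible_ssh_user }}`, but the next task reads `~/.ssh/id_rsa.pub` of whichever user runs the play (`become: false`), so the key that gets published can differ from the one just generated when those users are not the same. The `user` module returns the public key as `ssh_public_key` when `generate_ssh_key` is set, so registering the first task and using `lxc_container_ssh_key: "{{ key_create.ssh_public_key }}"` removes both the `cat` and the mismatch (`key_create` is a placeholder register name). If the `command` task stays, it should carry `changed_when: false`. This key is later added to root's `authorized_keys` by test-prepare-host.yml, so a larger `ssh_key_bits` than 2048 is worth considering.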
@@ -0,0 +1,69 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +debug: True +galera_client_drop_config_file: false +galera_root_user: root +galera_root_password: "secrete" +rabbitmq_servers: 10.100.100.101:5672 +rabbitmq_use_ssl: False +memcached_servers: 127.0.0.1 +memcached_encryption_key: "secrete" +keystone_venv_tag: "testing" +keystone_developer_mode: true +keystone_git_install_branch: stable/mitaka +keystone_requirements_git_install_branch: stable/mitaka +keystone_service_password: "secrete" +keystone_galera_address: 10.100.100.101 +keystone_galera_database: keystone +keystone_galera_user: keystone +keystone_container_mysql_password: "SuperSecrete" +keystone_auth_admin_token: "SuperSecreteTestToken" +keystone_admin_user_name: admin +keystone_admin_tenant_name: admin +keystone_auth_admin_password: "SuperSecretePassword" +keystone_service_internaluri: "http://10.100.100.101:5000" +keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3" +keystone_service_internaluri_insecure: false +keystone_service_adminuri: "http://10.100.100.101:35357" +keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3" +keystone_service_adminuri_insecure: false +keystone_service_publicuri: "{{ keystone_service_internaluri }}" +keystone_service_publicurl: "{{ keystone_service_internalurl }}" +keystone_rabbitmq_vhost: /keystone +keystone_rabbitmq_userid: keystone +keystone_rabbitmq_password: "secrete" 
+keystone_rabbitmq_use_ssl: false +keystone_rabbitmq_port: 5672 +keystone_rabbitmq_servers: 10.100.100.101 +openrc_os_auth_url: "{{ keystone_service_internalurl }}" +openrc_os_password: "{{ keystone_auth_admin_password }}" +openrc_os_domain_name: "Default" +ironic_venv_tag: "testing" +ironic_developer_mode: true +ironic_git_install_branch: stable/mitaka +ironic_requirements_git_install_branch: stable/mitaka +ironic_service_publicuri: "http://10.100.100.102:6385" +ironic_service_adminuri: "{{ ironic_service_publicuri }}" +ironic_service_internaluri: "{{ ironic_service_publicuri }}" +ironic_service_password: "secrete" +ironic_galera_address: 10.100.100.101 +ironic_galera_database: ironic +ironic_galera_user: ironic +ironic_galera_password: "SuperSecrete" +ironic_rabbitmq_password: "secrete" +ironic_rabbitmq_userid: ironic +ironic_rabbitmq_vhost: /ironic +ironic_standalone: True diff --git a/tests/test.yml b/tests/test.yml index cecb8c3c..ba2c3cd8 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -1,5 +1,5 @@ --- -# Copyright 2015, Rackspace US, Inc. +# Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,8 +13,20 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Playbook for role testing - hosts: localhost - remote_user: root - roles: - - role: "{{ rolename | basename }}" +# Prepare the user ssh keys +- include: test-prepare-keys.yml + +# Prepare the host +- include: test-prepare-host.yml + +# Prepare the containers +- include: test-prepare-containers.yml + +# Install RabbitMQ/MariaDB +- include: test-install-infra.yml + +# Install Keystone +- include: test-install-keystone.yml + +# Install Ironic +- include: test-install-ironic.yml diff --git a/tox.ini b/tox.ini index 2273cc8f..068e8a5e 100644 --- a/tox.ini +++ b/tox.ini 
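Review bot: tests/test-vars.yml carries no statement that its values are fixtures. Every secret is a fixed literal (`secrete`, `SuperSecrete`, `SuperSecreteTestToken`, `SuperSecretePassword`), `debug: True` is set, and the Keystone and Ironic endpoints are plain `http://` with `rabbitmq_use_ssl: False`. That is reasonable for a throwaway functional job, but the file is an obvious starting point to copy from, so I would add a header comment after the licence block: `# Test-only values for the tox functional job. Do not reuse these credentials or the non-TLS endpoints outside the test containers.`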
@@ -15,7 +15,7 @@ whitelist_externals = bash git rm - echo + wget setenv = VIRTUAL_ENV={envdir} ANSIBLE_HOST_KEY_CHECKING = False @@ -106,25 +106,20 @@ commands = [testenv:functional] commands = - echo -e "\n *******************************************************\n" \ - "**** Functional Testing is still to be implemented ****\n" \ - "**** TODO: Write tests here ****\n" \ - "*******************************************************\n" - # As a temporary measure, while functional testing is being worked on, we - # will not execute the functional test. This allows other patches to be - # worked on while the functional testing is being worked out. - #rm -rf {homedir}/.ansible - #git clone https://git.openstack.org/openstack/openstack-ansible-plugins \ - # {homedir}/.ansible/plugins - #ansible-galaxy install \ - # --role-file={toxinidir}/tests/ansible-role-requirements.yml \ - # --ignore-errors \ - # --force - #ansible-playbook -i {toxinidir}/tests/inventory \ - # -e "rolename={toxinidir}" \ - # -vv \ - # {toxinidir}/tests/test.yml - + rm -rf {homedir}/.ansible + git clone https://git.openstack.org/openstack/openstack-ansible-plugins \ + {homedir}/.ansible/plugins + # This plugin makes the ansible-playbook output easier to read + wget -O {homedir}/.ansible/plugins/callback/human_log.py \ + https://gist.githubusercontent.com/cliffano/9868180/raw/f360f306b3c6d689734a6aa8773a00edf16a0054/human_log.py + ansible-galaxy install \ + --role-file={toxinidir}/tests/ansible-role-requirements.yml \ + --ignore-errors \ + --force + ansible-playbook -i {toxinidir}/tests/inventory \ + -e "rolename={toxinidir}" \ + -vv \ + {toxinidir}/tests/test.yml [testenv:linters] commands =
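Review bot: The `[testenv:functional]` commands in tox.ini download `human_log.py` from a personal gist with `wget` and place it in `{homedir}/.ansible/plugins/callback/`, where Ansible loads it as Python during the playbook run that connects to the hosts as root. The URL is pinned to a gist revision, which helps, but nothing verifies the downloaded content; vendoring the file into the repository, or checking a recorded SHA-256 digest with `sha256sum -c` before the playbook starts, would close that gap. The `git clone` of openstack-ansible-plugins is likewise unpinned, and `ansible-galaxy install --ignore-errors` lets the run continue when a role fails to download. The unchanged `ANSIBLE_HOST_KEY_CHECKING = False` in `setenv` now applies to real SSH connections, so it deserves a comment such as `# acceptable only because the targets are containers created by this test run`.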